Does Giving Read Permissions to Encrypted File Allow User to View It
Data security is an extensive term. It covers processes and technologies for protecting files, databases, applications, user accounts, servers, network logins, and the network itself. But if you drill down a little in your thinking, it's easy to see that data security is ultimately protecting a file somewhere on your system, whether on desktops or servers. While data security is a good umbrella term, we need to go into more detail to understand file security.
File Security and Permissions
As Microsoft reminds us, files (and folders or directories) are securable objects. They have access or permission rights for controlling who can read, write, delete, or execute at a very granular level through Access Control Lists (ACLs). And in the Linux world, we have a similar, although far less granular, system of permissioning.
Why have the concept of permissions in the first place?
Think of an enterprise computing environment as a semi-public place: you're sharing a data space with not just anyone, but other employees. So a file is not the equivalent of a box with a lock that keeps out anyone who doesn't have the combination or key. Well, there is encryption, but we'll cover that below. Instead, the assumption in a Windows, Linux, or other operating system environment is that you want to share resources.
The operating system's file system permissions are there to provide a broad way to limit what can be done. For example, I want workers in another group to read our presentations, but I certainly don't want them to edit them. In that case, we'd specify (as shown below) read and write permission for users who belong to the group, and just read permission for everyone else.
In the Beginning, There Was Unix-Linux Permissions
Let's look at a very simple permissioning system. It's the classic Unix-Linux model, which provides basic read-write-execute permissions and a very simple method of deciding who these permissions apply to. It's called the user-group-other model. Effectively, it divides the user community into three classes: the owner of the file (user), all those users belonging to groups that the owner is a member of (group), and finally everybody else (other). You can see this permission structure when you run an ls -l command:
How do you add a permission to, or remove one from, a user-group-other class? There's the Linux chmod command. Suppose I decided that I'd like other users in groups I belong to to have access to the my-stuff-2.doc file, which I had been keeping private. I could do this:
chmod g+r my-stuff-2.doc
Or now I want to take back and make private the presentation-secret.doc file, which I had allowed other groups to view and update:
chmod g-rw presentation-secret.doc
The Unix-Linux permission model is simple and well-suited for server security, where there are system-level applications accessed by a few privileged users. It is not meant for a general user environment. For that you'll need ACLs.
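The two chmod commands above, worked through at the bit level, together with the rule the kernel uses to pick which class applies to a caller. This is an added example, not code from the original article; the helper names (apply_symbolic, effective_access, demo) and the numeric user and group IDs are assumptions made up for illustration.

```python
import os
import stat
import tempfile

PERM_BITS = {"r": 4, "w": 2, "x": 1}
CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}  # user, group, other triads


def apply_symbolic(mode, who, op, perms):
    """Apply one chmod-style clause (e.g. g+r or g-rw) to a numeric mode."""
    bits = 0
    for p in perms:
        bits |= PERM_BITS[p] << CLASS_SHIFT[who]
    return mode | bits if op == "+" else mode & ~bits


def effective_access(mode, file_uid, file_gid, uid, gids):
    """Return the rwx triad that applies to a caller (root is ignored here).

    Only the first matching class counts: owner, then the file's group,
    then other. An owner never falls through to the group bits.
    """
    if uid == file_uid:
        who = "u"
    elif file_gid in gids:
        who = "g"
    else:
        who = "o"
    triad = (mode >> CLASS_SHIFT[who]) & 0o7
    return "".join(c if triad & b else "-" for c, b in PERM_BITS.items())


def demo():
    """Replay `chmod g+r my-stuff-2.doc` on a scratch file; return ls -l style modes."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "my-stuff-2.doc")
        open(path, "w").close()
        os.chmod(path, 0o600)                      # private: owner rw only
        before = stat.filemode(os.stat(path).st_mode)
        os.chmod(path, apply_symbolic(0o600, "g", "+", "r"))
        after = stat.filemode(os.stat(path).st_mode)
    return before, after


if __name__ == "__main__":
    print(demo())
    # presentation-secret.doc: group had rw, take it back with g-rw
    print(oct(apply_symbolic(0o660, "g", "-", "rw")))
    # constructed IDs: a colleague in the file's group vs. an outsider
    print(effective_access(0o640, 1000, 50, 1001, {50}),
          effective_access(0o640, 1000, 50, 1002, {60}))
```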
What Are Access Control Lists?
Windows has a far more complex permissioning system than Linux. It allows users to define a permission for any Active Directory user or group, which is represented internally by a unique number known as a SID (security identifier). Windows ACLs consist of a SID and another number representing the associated permission: read, write, execute, and more. This is called an access mask. The SID and the mask together are referred to as an access control entry or ACE.
We've all seen the user-friendly representation of the ACE when we view a file or folder's properties:
Obviously, ACLs can make permissioning quite complex. In theory, you can have ACEs for each user that needs to access a file or folder. No, you shouldn't do that! Instead, there's the preferred method of assigning users to a group and then combining all those groups that need access to a folder into a larger group. This umbrella group is then used in the ACL. I've just described something called AGLP for Account, Global, Local Permissioning, which is Windows' canonical method for efficient file and folder permissioning.
So if an employee moves to another project (or leaves the company) and therefore no longer needs access, you only remove that user from the Active Directory group without having to adjust the ACE in the specific folder or file.
Easy peasy in terms of file security management. And a sensible way to reduce security risks in an enterprise computing environment.
And Along Came File Encryption
If you're paranoid, there is encryption, which is certainly a valid, if extreme, technique for solving the problems of file security. It may be safe, but it is certainly a very impractical solution to securing file data. Windows supports encryption, and you can turn it on selectively for folders.
Technically, Windows uses both asymmetric and symmetric encryption. The asymmetric part decrypts the symmetric key that does the actual block encryption/decryption of the file. The user has access to the private part of the asymmetric key pair that gets the whole process started. And only the owner of the folder can see the unencrypted files.
Plainly, with one user in control of the encryption, this does not lend itself to allowing multiple users to share access to files and folders. Add on that the potential for losing access to the asymmetric encryption key, which is kept in a certificate, and you can have a self-made ransomware attack on your hands. And yes, you should back up encryption certificates!
As we've been saying, the file system is where employees keep and share the content (spreadsheets, documents, presentations) that they're working on now. It's their virtual desks, and adding a layer of encryption is like moving things around and making their desk even sloppier (no one likes that!), as well as being administratively difficult to manage.
Pseudonymization: Selective File Encryption
And this brings us to pseudonymization.
It's a GDPR-approved technique for encoding personal data in order to reduce some of the burdens of this law.
The idea is to replace personal identifiers with a random code. It's the same idea behind writers using pseudonyms to hide their identities. The GDPR says you can do this on a larger scale as a way to lessen some of the GDPR requirements.
Generally, there would have to be an intake system that would process the raw data identifiers and convert them to these special codes. And there would have to be a master table that maps the codes back into the real identifiers for those processes that need the original information.
Using this approach, employees could then work with pseudonymized files in which the identities of the data subjects would be hidden. The rest of the file, of course, would be readable.
Partial encryption is perhaps one way to think about this technique.
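A sketch of the intake step and master table described above, as an added example that is not from the original article. The Pseudonymizer class, the pseudonymize_csv function, the "P-" code format, and the sample records are all assumptions constructed for illustration.

```python
import csv
import io
import secrets

# Constructed sample records; names and addresses are made up.
SAMPLE = """name,email,department,salary
Ana Ruiz,ana@example.com,Finance,71000
Bo Chen,bo@example.com,Marketing,64000
Ana Ruiz,ana@example.com,Finance,73000
"""


class Pseudonymizer:
    """Intake step: swaps identifiers for random codes and owns the master table."""

    def __init__(self):
        self._code_for = {}  # real identifier -> code
        self._real_for = {}  # code -> real identifier (the master table)

    def code(self, identifier):
        """Return a stable random code, so one person keeps one code."""
        if identifier not in self._code_for:
            token = "P-" + secrets.token_hex(8)
            while token in self._real_for:  # regenerate on the rare collision
                token = "P-" + secrets.token_hex(8)
            self._code_for[identifier] = token
            self._real_for[token] = identifier
        return self._code_for[identifier]

    def reidentify(self, code):
        """Map a code back; only processes holding the master table can do this."""
        return self._real_for[code]


def pseudonymize_csv(text, id_columns, pz):
    """Replace the identifier columns and leave every other field readable."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        for col in id_columns:
            row[col] = pz.code(row[col])
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    pz = Pseudonymizer()
    print(pseudonymize_csv(SAMPLE, ["name", "email"], pz))
```

The protection depends on the master table being stored apart from the pseudonymized files and under tighter access permissions than they are.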
Like encryption, pseudonymization is considered a security protection measure (see the GDPR's article 32), and it's also explicitly mentioned as a "data protection by design and by default" or PbD technique (see article 25). It's also considered a personal data minimization technique, which is very important to the GDPR.
Will pseudonymization spread beyond the EU's GDPR and be adopted by the US in its own coming data privacy and security law? We will see!
Best File Security Practices
Enterprise computing environments are designed to help employees get their work done. Sure, there are built-from-the-ground-up secure operating systems, but they're meant for top-secret government projects (or whatever Apple is working on next). For the rest of us, we have to learn to work with existing commercial operating systems, and find ways to minimize the risks of data security lapses.
Here are three easy-to-implement tips for boosting your file system security.
- Eliminate Everyone – The default Everyone group in Windows gives global access to a folder or file. You would think that companies would make sure to remove this group from a folder's ACL. But in our most recent annual Data Risk Report, we've discovered that 58% of companies we sampled had over 100,000 folders open to every employee! Sure, you'll need to grant Everyone if you're sharing the folder over the network, but make sure to remove it from the ACL and then do the following RBAC analysis.
- Roll Your Own Role-based Access Controls (RBAC) – Everyone has a job or role in an organization, and each role has with it an associated set of access permissions to resources. Naturally, you assign similar roles to the same group, then apply to them the appropriate permissions, and then follow the AGLP method from above. When implemented correctly, this should be easy to maintain while reducing security risks. Yes, this does require more than a little administrative overhead to maintain.
- Minimal Least Privilege Permission – This is related to RBAC, but it involves focusing particularly on "appropriate" permission. With the least privilege model, you strip down access to the minimum that is needed for the role. Marketing may need read access to a folder controlled by the finance department, but they shouldn't be allowed to update a file or maybe run some special financial software. Administrators need to be ruthlessly stingy when granting permissions with this approach.
I lied. These tips are super-easy to understand, but not super-easy to implement! You'll need some help …
We just happen to have a solution that will make these great tips easier to put into practice.
Source: https://www.varonis.com/blog/protect-your-data-with-super-easy-file-security-tricks